SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester find and exploit SQL injections on a web page.

For now it supports SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2, but it can be used with any existing DBMS through inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that the user puts in the parameter sent to the server.

While inline SQL injection is powerful in itself, the application's main strength lies in the multithreaded automation of the injection. Not only can tedious and time-consuming queries be automated, but the query can also be modified to retrieve only what you want. This is obviously most useful for blind SQL injection, since the other ways of exploiting a SQL injection vulnerability are more verbose and much faster when the results are displayed on the web page (a union select in an HTML table or a generated 500 error, for instance).

The automation can be realized in two ways: by comparing the expected result or by time delay. In the first, the response to a positive condition is compared with the response to a negative one (generally an error or some other difference between the two); in the second, the test is considered positive when the delay observed from the server equals the one configured in the application.

The main effort on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why there is an integrated browser that displays the results of the injection, configured so that any standard SQL error is shown without the rest of the page. Of course, as with many other features of this application, there are ways to configure how the server's response is handled so that it is as informative as possible.

Another important part of this application is its ability to get all the parameters from the web page you need to test for SQL injection, whether sent by GET or POST. This way you won't need several applications or a proxy to intercept the data: everything is automated. Not only that, but there is now a Firefox plugin that launches SQL Power Injector with all the information of the current web page and its session context (parameters and cookies).

I worked hard on the application's usability, but I am aware that on first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood, it will be quite easy to use afterwards. In order to help a beginner understand its basic features I created a tutorial that not only helps them out but can also be educational for some advanced SQL injection techniques. Moreover, you will find some great tricks in the FAQ as well, and now with version 1.2 there is a help file (chm) containing a list of the most useful information for SQL injection.

Also, I designed this application around the way I do my own pen testing and how I use SQL injection. It has been tested successfully many times on real-life web sites (legally, of course), and as soon as I see something missing I add it. Now that it's officially available to the security community, I will have to be more rigorous and wait to add new features in a new version of the software. This process has already started and many more features will come with time.

Finally, this application will be free of charge and will hopefully be used to help in security assessments made by security professionals, or to further the knowledge of the techniques used. Obviously I will not be held responsible for any misuse or damage caused by this application.

Powerful as it is, this application won't find SQL injection vulnerabilities for you, nor will it find the right syntax once one is found. Its main strength is to provide a way to find them more easily and, once they are found, to automate the exploitation so that you won't need to perform every single injection by hand when the only way to inject is the blind technique.

Moreover, I didn't intend to make it a database pumping application. There are plenty of good applications for that purpose. In any case, much of the pumped data is not relevant, and since pumping takes time it can be a real waste of time. It's better to refine and get what you really want.

Lastly, although I added the mini-browser feature to show the results in HTML format, it doesn't mean that it has all the features of a professional browser. Internet Explorer and Mozilla, to mention a few, are really complex software, and it would be nearly impossible to implement all their features in my application. That's why you won't be able to use it as a conventional browser even though it has the same look and feel.

To be honest, I didn't study all the other tools' features in full detail. The only thing I can say is that, while they are great, they always lack something important that I need when I'm doing SQL injection.

Some applications will find the SQL injection for you, which sometimes results in false positives. Others will generically pump the data of the database. Some of those applications got smarter: you can pick what you need once the list of databases has been pumped, or ask for a specific hard-coded piece of data, such as the current DB user.

But none of them, as far as I know, has the ability to specifically choose what you want. That ability comes at a cost, of course: you need to know some SQL syntax. But I can assure you that once someone understands how it works, not much syntax is required.

Also, I cannot recall having seen any application using the time delay feature built into this one. Many SQL injection vulnerabilities are impossible to exploit unless you use that technique, a technique that can be really tedious and time consuming when done manually and often ends with giving up after long hours of copy-pasting commands into the browser.

Nor do I remember having seen any multithreading feature, which can most definitely be a really important time saver, or the ASCII character preset feature, which can save up to 25% of the time of a blind SQL injection. (Please look at the statistics section for some figures.)

I apologize in advance to those who made their own application available on the Net with those features before I released SQL Power Injector. Please let me know and I will update this section.

I didn't use any scientific method, so do not consider these statistics as scientific facts but rather as a general idea of what you can expect. Especially since no one controls the traffic on the Net, I would be really hard pressed to give any valuable scientific data. Another thing: I didn't run enough tests (10 runs for each thread count) to have a real statistical sample, since the goal of these numbers is only to show approximately what you can expect.

Moreover, it will also depend on the size of the data sought. Sometimes a lower number of threads will be more effective than a higher one. In fact, the time taken is optimal when the length of the value is divisible by the number of threads. So, for a value of 24 characters, 3, 4, 6 and 8 threads will be faster than any other count. As a rule of thumb, the biggest gain in time between consecutive thread counts is from 1 to 2 threads. As you can see, higher is not always better. You will see some examples in the following statistics.

Even though you can go up to 50 threads, I have found that from around 10 threads it starts to produce errors and gets slower and slower. So again, a bigger number of threads is not necessarily better. I must warn as well that the higher the number of threads, the higher the chances of crashing the web application (web server or database).
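As an added example (not part of SQL Power Injector or of this page), the following Python script shows the defender's view of the two automation modes (comparison and time delay) and of the multithreaded bursts described above: it scans access-log lines for time-delay payloads corroborated by slow responses, for character-comparison probes, and for bursts of requests to one path from one client. The log format, the thresholds and the sample entries are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Constructed access-log sample (not from the page). Fields: client, epoch seconds, request
# line, status, bytes, server time in ms. Lines 2-5 mimic an automated blind-injection run.
SAMPLE_LOG = """\
10.0.0.7 1700000000.10 "GET /item.aspx?id=5 HTTP/1.1" 200 5120 45
10.0.0.7 1700000001.00 "GET /item.aspx?id=5;WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 5120 5041
10.0.0.7 1700000001.05 "GET /item.aspx?id=5;WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 5120 5038
10.0.0.7 1700000001.10 "GET /item.aspx?id=5+AND+ASCII(SUBSTRING(@@version,1,1))>77-- HTTP/1.1" 500 312 40
10.0.0.7 1700000001.20 "GET /item.aspx?id=5+AND+ASCII(SUBSTRING(@@version,1,1))>64-- HTTP/1.1" 200 5120 42
10.0.0.9 1700000003.00 "GET /item.aspx?id=9 HTTP/1.1" 200 5120 44
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+) (\d+)$')
# Time-delay primitives of the DBMSs the page lists (SQL Server/Sybase, MySQL, Oracle).
DELAY_RE = re.compile(r"waitfor\s+delay|sleep\s*\(|benchmark\s*\(|dbms_pipe\.receive_message|dbms_lock\.sleep", re.I)
# Character-at-a-time comparison probes typical of blind (boolean or error-based) extraction.
PROBE_RE = re.compile(r"\b(and|or)\b.*\b(ascii|substring|substr)\s*\(", re.I)
SLOW_MS = 4000                   # response time that corroborates an injected delay (assumed)
BURST_N, BURST_WINDOW = 3, 2.0   # N requests to one path within WINDOW seconds (assumed)

def analyze(log_text):
    """Return [(line_no, client, [reasons])] for requests that look like automated injection."""
    findings = []
    recent = defaultdict(deque)  # (client, path) -> timestamps inside the burst window
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, _method, url, status, _size, ms = m.groups()
        ts, ms = float(ts), int(ms)
        path, _, query = url.partition("?")
        decoded = unquote_plus(query)  # inspect the decoded query string, not the raw one
        reasons = []
        if DELAY_RE.search(decoded):
            reasons.append("time-delay payload" + (" (confirmed by %d ms)" % ms if ms >= SLOW_MS else ""))
        if PROBE_RE.search(decoded):
            reasons.append("comparison probe (HTTP %s)" % status)
        q = recent[(client, path)]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= BURST_N:
            reasons.append("burst: %d requests in %.1fs" % (len(q), BURST_WINDOW))
        if reasons:
            findings.append((n, client, reasons))
    return findings
```

On the sample, lines 2 to 5 are flagged: the two delay probes (the second also opening a burst) and the two comparison probes whose 500/200 split is the error-based oracle the page mentions.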

I must thank Nathaniel Felsen for having allowed me to test on one of his web servers.